(version 1) (define sandbox-level %d) (define macosMajorVersion %d) (define macosMinorVersion %d) (define appPath "%s") (define appBinaryPath "%s") (define appDir "%s") (define home-path "%s") (import "/System/Library/Sandbox/Profiles/system.sb") (if (or (< macosMinorVersion 9) (= sandbox-level 0)) (allow default) (begin (deny default) (debug deny) (define resolving-literal literal) (define resolving-subpath subpath) (define resolving-regex regex) (define container-path appPath) (define appdir-path appDir) (define var-folders-re "^/private/var/folders/[^/][^/]") (define var-folders2-re (string-append var-folders-re "/[^/]*/[^/]")) (define (home-regex home-relative-regex) (resolving-regex (string-append "^" (regex-quote home-path) home-relative-regex))) (define (home-subpath home-relative-subpath) (resolving-subpath (string-append home-path home-relative-subpath))) (define (home-literal home-relative-literal) (resolving-literal (string-append home-path home-relative-literal))) (define (container-regex container-relative-regex) (resolving-regex (string-append "^" (regex-quote container-path) container-relative-regex))) (define (container-subpath container-relative-subpath) (resolving-subpath (string-append container-path container-relative-subpath))) (define (container-literal container-relative-literal) (resolving-literal (string-append container-path container-relative-literal))) (define (var-folders-regex var-folders-relative-regex) (resolving-regex (string-append var-folders-re var-folders-relative-regex))) (define (var-folders2-regex var-folders2-relative-regex) (resolving-regex (string-append var-folders2-re var-folders2-relative-regex))) (define (appdir-regex appdir-relative-regex) (resolving-regex (string-append "^" (regex-quote appdir-path) appdir-relative-regex))) (define (appdir-subpath appdir-relative-subpath) (resolving-subpath (string-append appdir-path appdir-relative-subpath))) (define (appdir-literal appdir-relative-literal) (resolving-literal (string-append appdir-path appdir-relative-literal))) (define (allow-shared-preferences-read domain) (begin (if (defined? `user-preference-read) (allow user-preference-read (preference-domain domain))) (allow file-read* (home-literal (string-append "/Library/Preferences/" domain ".plist")) (home-regex (string-append "/Library/Preferences/ByHost/" (regex-quote domain) "\..*\.plist$"))) )) (define (allow-shared-list domain) (allow file-read* (home-regex (string-append "/Library/Preferences/" (regex-quote domain))))) (allow file-read-metadata) (allow ipc-posix-shm (ipc-posix-name-regex "^/tmp/com.apple.csseed:") (ipc-posix-name-regex "^CFPBS:") (ipc-posix-name-regex "^AudioIO")) (allow file-read-metadata (literal "/home") (literal "/net") (regex "^/private/tmp/KSInstallAction\.") (var-folders-regex "/") (home-subpath "/Library")) (allow signal (target self)) (allow job-creation (literal "/Library/CoreMediaIO/Plug-Ins/DAL")) (allow mach-lookup (global-name "com.apple.coreservices.launchservicesd") (global-name "com.apple.coreservices.appleevents") (global-name "com.apple.pasteboard.1") (global-name "com.apple.window_proxies") (global-name "com.apple.windowserver.active") (global-name "com.apple.cvmsServ") (global-name "com.apple.audio.coreaudiod") (global-name "com.apple.audio.audiohald") (global-name "com.apple.PowerManagement.control") (global-name "com.apple.cmio.VDCAssistant") (global-name "com.apple.SystemConfiguration.configd") (global-name "com.apple.iconservices") (global-name "com.apple.cookied") (global-name "com.apple.printuitool.agent") (global-name "com.apple.printtool.agent") (global-name "com.apple.cache_delete") (global-name "com.apple.pluginkit.pkd") (global-name "com.apple.bird") (global-name "com.apple.DesktopServicesHelper") (global-name "com.apple.printtool.daemon")) (allow iokit-open (iokit-user-client-class "AppleGraphicsControlClient") (iokit-user-client-class "IOHIDParamUserClient") (iokit-user-client-class "IOAudioControlUserClient") (iokit-user-client-class "IOAudioEngineUserClient") (iokit-user-client-class "IGAccelDevice") (iokit-user-client-class "nvDevice") (iokit-user-client-class "nvSharedUserClient") (iokit-user-client-class "IGAccelGLContext") (iokit-user-client-class "nvFermiGLContext") (iokit-user-client-class "AGPMClient") (iokit-user-client-class "IOSurfaceRootUserClient") (iokit-user-client-class "IGAccelSharedUserClient") (iokit-user-client-class "IGAccelVideoContextMain") (iokit-user-client-class "IGAccelVideoContextMedia") (iokit-user-client-class "IGAccelVideoContextVEBox") (iokit-user-client-class "RootDomainUserClient") (iokit-user-client-class "IOUSBDeviceUserClientV2") (iokit-user-client-class "IOUSBInterfaceUserClientV2")) ; depending on systems, the 1st, 2nd or both rules are necessary (allow-shared-preferences-read "com.apple.HIToolbox") (allow file-read-data (literal "/Library/Preferences/com.apple.HIToolbox.plist")) (allow file-read* (subpath "/Library/Fonts") (subpath "/Library/Audio/Plug-Ins") (subpath "/Library/CoreMediaIO/Plug-Ins/DAL") (subpath "/Library/Spelling") (subpath "/private/etc/cups/ppd") (subpath "/private/var/run/cupsd") (literal "/") (literal "/private/tmp") (literal "/private/var/tmp") (home-literal "/.CFUserTextEncoding") (home-literal "/Library/Preferences/com.apple.DownloadAssessment.plist") (home-subpath "/Library/Colors") (home-subpath "/Library/Fonts") (home-subpath "/Library/FontCollections") (home-subpath "/Library/Keyboard Layouts") (home-subpath "/Library/Input Methods") (home-subpath "/Library/PDF Services") (home-subpath "/Library/Spelling") (subpath appdir-path) (literal appPath) (literal appBinaryPath)) (allow-shared-list "org.mozilla.plugincontainer") ; the following 2 rules should be removed when microphone and camera access ; are brokered through the content process (allow device-microphone) (allow device-camera) (allow file* (var-folders2-regex "/com\.apple\.IntlDataCache\.le$")) (allow file-read* (var-folders2-regex "/com\.apple\.IconServices/")) (allow file-write* (var-folders2-regex "/org\.chromium\.[a-zA-Z0-9]*$")) ; the following rules should be removed when printing and ; opening a file from disk are brokered through the main process (allow file* (require-all (subpath home-path) (require-not (home-subpath "/Library")))) ; printing (allow authorization-right-obtain (right-name "system.print.operator") (right-name "system.printingmanager")) (allow mach-lookup (global-name "com.apple.printuitool.agent") (global-name "com.apple.printtool.agent") (global-name "com.apple.printtool.daemon") (global-name "com.apple.sharingd") (global-name "com.apple.metadata.mds") (global-name "com.apple.mtmd.xpc") (global-name "com.apple.FSEvents") (global-name "com.apple.locum") (global-name "com.apple.ImageCaptureExtension2.presence")) (allow file-read* (home-literal "/.cups/lpoptions") (home-literal "/.cups/client.conf") (literal "/private/etc/cups/lpoptions") (literal "/private/etc/cups/client.conf") (subpath "/private/etc/cups/ppd") (literal "/private/var/run/cupsd")) (allow-shared-preferences-read "org.cups.PrintingPrefs") (allow-shared-preferences-read "com.apple.finder") (allow-shared-preferences-read "com.apple.LaunchServices") (allow-shared-preferences-read ".GlobalPreferences") (allow network-outbound (literal "/private/var/run/cupsd") (literal "/private/var/run/mDNSResponder")) ; print preview (if (> macosMinorVersion 9) (allow lsopen)) (allow file-write* file-issue-extension (var-folders2-regex "/")) (allow file-read-xattr (literal "/Applications/Preview.app")) (allow mach-task-name) (allow mach-register) (allow file-read-data (regex "^/Library/Printers/[^/]+/PDEs/[^/]+.plugin") (subpath "/Library/PDF Services") (subpath "/Applications/Preview.app") (home-literal "/Library/Preferences/com.apple.ServicesMenu.Services.plist")) (allow mach-lookup (global-name "com.apple.pbs.fetch_services") (global-name "com.apple.tsm.uiserver") (global-name "com.apple.ls.boxd") (global-name "com.apple.coreservices.quarantine-resolver") (global-name-regex "_OpenStep$")) (allow appleevent-send (appleevent-destination "com.apple.preview") (appleevent-destination "com.apple.imagecaptureextension2")) ) )